Can Optus confirm if their SIM cards have the embedded
S@T Browser (a dynamic SIM toolkit), within their SIM cards? If so, are they taking steps to update their security at the network level by filtering, which can be implemented to intercept and block the illegitimate binary SMS messages as recommended by the SIM Alliance. Will they also be offering replacement sim cards with fixes at the SIM level?
This sim card flaw has been possible since 2009 and the full exploit will be published in October opening the doors to sim jacking by far more individuals. It has already been demonstrated that the original exploiter has been using this attack method for over 2 years!
Disclosed by researchers at AdaptiveMobile Security, the vulnerability can be exploited using a $10 GSM modem to perform several tasks, listed below, on a targeted device just by sending an SMS containing a specific type of spyware-like code.
During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated.
Optus needs to take this seriously and disclose if we're currently vulnerable and what steps they're going to take to mitigate this.
Solved! Solved: Go to Solution.
Came here to ask this, having read this: https://thehackernews.com/2019/09/simjacker-mobile-hacking.html.
Optus, any response yet?
Does anyone from Optus review these posts or do I need to go old school and write an actual letter to Optus?
It's been over a week since I first posted about this issue and have not had a response in regards to this. Since this is a known and published issue...if people suffer from this and Optus has chosen to not do anything about it...does it open up the possibility of a class action lawsuit? I would think this is serious enough that Optus would put a fix in place ASAP and keep it's customers informed.
Spot on, _B-Rad_,
Optus needs to clarify urgently
I think you raise some valid concerns and good on you for raising the topic - given the newness of the discovery, it may take some time for an official response from Optus. Leaving the question unanswered would only cause more unnecessary concerns for users. According to Telefonica's equivalent of YesCrowd, their O2 Mobile company in the UK have stated their SIMs do not use the S@T Browser, so I am no sure if it is a simple as stating that or if it is a more complex issue for other carriers if a certain percentage of their SIMs do.
It seems like it is 'hot off the press' news with more details to follow when Adaptive Mobile Security present their findings at a London conference in early October. Web posts seem to indicate the exposure relates from 2009, and today it is more prevalent in undeveloped countries using older technology networks. The alleged originator is a "private surveillance company, a highly sophisticated actor, that works with Governments to monitor targeted individuals".
Governments may require this ability for law enforcement and national security reasons, however given the state of world affairs it could also be used for political, financial and other sinister reasons. All carriers around the world have to comply, to various degrees, with demands from relevant sovereign Government agencies responsible for their country's communications and security. Allegedly and interestingly, it doesn't appear to effect any of the US Carriers raising some more questions as to the identity of the actor.
One would hope it has not extended itself as a freely down loadable Open Source based App from a web site for people to reak merry hell with across the world. We have enough of those all ready! Will be interested to see what happens next month.
I was mindful of the possibility that this exists as an intentional backdoor for the government, and covered that under "legitimate" (up to a point). Even if that were the case, Optus should still be blocking these SMSs that originate outside its management network e.g. other Optus customers or customers of other carriers (anywhere in the world). The current situation seems untenable.
Various pieces of anecdotal evidence, including that it is not required in the US or the UK, hint that it is not required here either - and that this is down to stupidity (on someone's part) rather than malice i.e. stuff up rather than conspiracy.
@_B-Rad_ - I just realised I had omitted to acknowledge you in my reply which was in response to your original post. Apologies. I think all contributors have raised valid concerns and I will continue to track the progress of your enquiry. It's good to know what is going on. Cheers.
Thanks for raising this concern.
Confirming our SIMs do not use the S@T browsers so Optus customers are not exposed to this vulnerability.
Furthermore, our Networks team have advised we also mitigate against this specific issue by blocking illegitimate binary SMS messages that could address the SIM vulnerability described.
Please see this more recent article for an update: https://www.itwire.com/security/simjacker-australians-are-safe.html
@Ray_YC Thank you for getting back to us with a complete answer covering the different aspects of this issue. Very happy to know that not only are we not vulnerable to this particular issue but that Optus also have mitigations in place to hopefully prevent any other similar flaws in the system. Too often half arsed responses are tossed out which is why I really appreciate your complete response.